Bugtraq mailing list archives

Re: Chalace - Challenge/Responce password authentification


From: gtoal () an-teallach com (Graham Toal)
Date: Fri, 3 Jun 1994 21:17:30 +0100


: From: Paul Robinson <PAUL () tdr com>

: Gee, this sounds like Phil Karn's S/Key system only without changing the 
: keys.  If it is really something different, a combination of both would 
: be very interesting.

: S/Key seems to be almost identical with this system, including the list 
: of words, the use of a nondisclosed shared secret, and so on.  The only 
: difference being that S/Key generates the challenge on a "one time pad" 
: e.g. the next time you log in it's a different computation because the 
: count isn't the same.  

Unless I missed something, it isn't even as good as s/key.  This one needs
a stored *secret* to generate the response.  In s/key, the host only
stores something derived from the secret, and it can be in a public
file.  So this new thing would be compromised if the host was compromised.

G
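
Added example (not part of the original post, and not code from S/Key or Chalace): a sketch of the difference described above, showing what each host has to store and whether that stored value alone is enough to pass the next login. Assumptions: SHA-256 stands in for S/Key's hash, a generic keyed-hash response stands in for the stored-secret design, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash; the original S/Key used MD4.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, n: int) -> bytes:
    """Return H applied n times to the secret (computed on the user's side)."""
    for _ in range(n):
        secret = H(secret)
    return secret

class SKeyHost:
    """One-time scheme: the host file holds only H^count(secret)."""
    def __init__(self, verifier: bytes, count: int):
        self.verifier, self.count = verifier, count

    def challenge(self) -> int:
        return self.count - 1              # user must answer with H^(count-1)(secret)

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:                # chain used up; user must re-initialise
            return False
        if not hmac.compare_digest(H(response), self.verifier):
            return False
        self.verifier, self.count = response, self.count - 1
        return True

class SharedSecretHost:
    """Stored-secret scheme: the host must keep the secret to check a response."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(respond(self.secret, challenge), response)

def respond(secret: bytes, challenge: bytes) -> bytes:
    # Generic keyed-hash response; not the Chalace algorithm.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def host_file_is_enough(host) -> bool:
    """Can someone holding only the host's stored value pass the next login?"""
    if isinstance(host, SKeyHost):
        return host.verify(host.verifier)  # needs a preimage of it instead
    c = host.challenge()
    return host.verify(c, respond(host.secret, c))
```

The one-time host also rejects a replayed response, because each accepted response replaces the stored verifier.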


